
List:       ms-cryptoapi
Subject:    Re: Severe IE flaw undermines SSL (Due Failure to check
From:       "John Lambert (NT)" <johnla () WINDOWS ! MICROSOFT ! COM>
Date:       2002-08-15 18:31:36


>For the latest version of MSIE, approximately seven hundred 
>(700 mouse clicks to disable the hardcoded certs, 
>that's not a typo

It's not that bad.

In Windows XP and .NET Server you can disable the 3rd party roots via
group policy.  In XP we split the root store internally into two parts:
(1) the roots needed for the OS to work and (2) the 3rd party roots.  You
can turn off #2 for your entire domain or any organizational unit.  You
can also add just the roots you want your users to trust via group
policy.

Using an XP/.NET Server group policy editor go to:
Computer configuration, Windows settings, security settings, Public key
policies, Trusted Root Certification Authorities, right-click
Properties.  If you don't want your users to trust the 100+ commercial
CAs that ship in the box, ensure that "Client computers can trust the
following certificate stores" is set to "Enterprise Root Certification
Authorities".

I estimate about 7 mouse clicks.

John
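The policy steps above control which root stores a client is allowed to trust; an administrator rolling them out usually also wants to know what the clients' root stores actually contain. The PowerShell script below is an added illustration, not code from the list message or from Microsoft: it inventories the local machine's `Root` and `AuthRoot` certificate stores and reports every root whose thumbprint is not on an allow-list of the roots the organization distributes. The thumbprints in `$AllowedRootThumbprints` are placeholders to be replaced with the organization's own enterprise roots. The script reads the stores only; it does not read or change the group policy setting itself.

```powershell
# Added example (not from the list message or Microsoft): inventory the root
# stores on a Windows client and report roots that are not on the
# organization's allow-list. Thumbprints below are placeholders; replace
# them with the SHA-1 thumbprints of the enterprise roots you distribute
# via group policy.
$AllowedRootThumbprints = @(
    'PLACEHOLDER-ENTERPRISE-ROOT-THUMBPRINT-1',
    'PLACEHOLDER-ENTERPRISE-ROOT-THUMBPRINT-2'
)

# Root     = the machine's Trusted Root Certification Authorities store
# AuthRoot = third-party roots delivered through Microsoft's root program
$StoresToAudit = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')

function Get-UnexpectedRoots {
    param(
        [string[]]$Stores,
        [string[]]$Allowed
    )
    foreach ($StorePath in $Stores) {
        # Skip stores that do not exist on this Windows version
        if (-not (Test-Path -Path $StorePath)) { continue }

        Get-ChildItem -Path $StorePath |
            Where-Object { $Allowed -notcontains $_.Thumbprint } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store      = $StorePath
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$Unexpected = @(Get-UnexpectedRoots -Stores $StoresToAudit -Allowed $AllowedRootThumbprints)

# Show the result on screen and keep a CSV so clients can be compared
# against each other and against the group policy baseline.
$Unexpected | Sort-Object Store, Subject | Format-Table -AutoSize
$ReportPath = Join-Path -Path $env:TEMP -ChildPath 'root-store-audit.csv'
$Unexpected | Export-Csv -Path $ReportPath -NoTypeInformation
"$($Unexpected.Count) root certificate(s) outside the allow-list; report written to $ReportPath"
```

Run it in an elevated PowerShell session on a client after the policy has been applied. A root that appears in the report is present on the machine; whether the client is permitted to trust it is decided by the "Client computers can trust the following certificate stores" setting described above, so the report is an inventory to compare against the policy, not a substitute for it.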

-----Original Message-----
From: Peter Gutmann [mailto:pgut001@CS.AUCKLAND.AC.NZ] 
Sent: Wednesday, August 14, 2002 7:19 PM
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: Re: Severe IE flaw undermines SSL (Due Failure to check
Certificate Constraints)

"Eugene C. Williams" <williamsec@HUNTSVILLE.SPARTA.COM> writes:

>Is there anyone out there who can tell me how many features of the browser
>certificate verification process that would have to be turned off to
>facilitate this "attack?"  How many warnings would be "clicked off" by the
>user to allow this problem to result in a successful session theft?

For the latest version of MSIE, approximately seven hundred (700 mouse
clicks to disable the hardcoded certs, that's not a typo).

Peter.

----------------------------------------------------------------
Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
contains important info. Save time, search the archives at
http://discuss.microsoft.com/archives/index.html .
To unsubscribe, mailto:CryptoAPI-signoff-request@DISCUSS.MICROSOFT.COM
